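# syntax=docker/dockerfile:1.7
# Build stage: resolves and installs the locked dependency set into /opt/venv.
# Nothing from this stage reaches the runtime image except /opt/venv and /app/src.
# NOTE(review): both images below are pinned by tag only; pin by digest
# (`image:tag@sha256:...`) for a reproducible, tamper-evident production build.
FROM python:3.13-slim AS builder

# uv ships static binaries; pin a version for reproducibility.
COPY --from=ghcr.io/astral-sh/uv:0.4.27 /uv /usr/local/bin/uv

WORKDIR /app

# UV_PROJECT_ENVIRONMENT: install into a fixed path that the runtime stage copies.
# UV_LINK_MODE=copy: the cache mount below is a separate filesystem, so uv
#   cannot hard-link from it into /opt/venv.
# UV_PYTHON_DOWNLOADS=never: always use the interpreter shipped in the base
#   image; never let uv fetch a managed Python over the network at build time.
ENV UV_PROJECT_ENVIRONMENT=/opt/venv \
    UV_LINK_MODE=copy \
    UV_PYTHON_DOWNLOADS=never \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Install only the dependencies first so the layer is cached when the
# source tree changes. --frozen refuses to modify uv.lock, so the build fails
# instead of silently resolving a different dependency set. The cache mount
# keeps uv's download cache on the build host, out of the image layers.
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev --no-install-project

# Now copy the source tree and install the project itself. uv presumably
# installs the project editable (its default), which is why the runtime stage
# copies /app/src to the same path alongside /opt/venv -- verify if the
# install mode is ever changed.
COPY src ./src
COPY README.md ./
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev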


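FROM python:3.13-slim AS runtime

# ca-certificates: TLS trust store for outbound HTTPS.
# sqlite3: the CLI, presumably for operator inspection/backups of
# /app/data/state.sqlite; Python's stdlib sqlite3 module does not need it,
# so drop it if nothing in scripts/ uses it (one less shell tool in the image).
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        sqlite3 \
    && rm -rf /var/lib/apt/lists/*

# Non-root user with a stable UID *and* GID, so files written to the
# /app/data volume have predictable ownership on the host and so a runtime
# policy (e.g. Kubernetes runAsNonRoot) can verify a numeric id.
RUN groupadd --system --gid 10001 bite \
    && useradd --system --uid 10001 --gid bite --home-dir /app \
        --shell /usr/sbin/nologin bite
WORKDIR /app

# CERBERO_BITE_CORE_TOKEN_FILE points at a secret mounted at run time
# (docker-compose `secrets:`); the token itself is never baked into a layer.
# NOTE(review): the mounted file must be readable by UID 10001 -- check the
# secret's mode/owner in docker-compose.yml.
ENV PATH=/opt/venv/bin:$PATH \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    CERBERO_BITE_CORE_TOKEN_FILE=/run/secrets/core_token

# Code, the venv and the strategy file stay root-owned (read-only for `bite`):
# a compromised process cannot rewrite them to persist or to alter its own
# configuration. /app/src is kept at the same path as in the builder stage so
# the install in /opt/venv still resolves it.
COPY --from=builder /opt/venv /opt/venv
COPY --from=builder /app/src /app/src
COPY scripts /app/scripts
COPY strategy.yaml /app/strategy.yaml

# Persistent state + audit go into /app/data, mounted as a volume in
# docker-compose.yml. Only this subtree is writable by the runtime user;
# chown'ing all of /app would both duplicate every copied file in a new layer
# and make the code writable. If the app turns out to need to write elsewhere
# under $HOME (/app), widen this deliberately rather than chown'ing the tree.
RUN mkdir -p /app/data/log /app/data/backups \
    && chown -R bite:bite /app/data

USER bite

# The healthcheck rides on the same Click entrypoint: it queries the
# SQLite singleton and exits 0/1 based on kill_switch + last_health_check.
# Failures during --start-period do not count toward --retries, so a slow
# first start does not flip the container to unhealthy.
HEALTHCHECK --interval=60s --timeout=5s --start-period=120s --retries=3 \
    CMD ["cerbero-bite", "healthcheck", "--db", "/app/data/state.sqlite"]

# Exec form: cerbero-bite is PID 1 and receives SIGTERM from `docker stop`;
# CMD supplies the default subcommand and can be overridden at `docker run`.
ENTRYPOINT ["cerbero-bite"]
CMD ["status"]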
